OTPulse

Siemens SIMOTION

Monitor · 4.6 · ICS-CERT ICSA-23-166-04 · Jun 13, 2023
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIMOTION motion control devices contain an information disclosure vulnerability (CWE-213) that allows extraction of confidential technology object (TO) configuration data from the device. The vulnerability affects SIMOTION C240, D410-2, D425-2, D435-2, D445-2, D455-2, and P320-4 controllers running firmware versions 5.4 through 5.5 (pre-SP1). An unauthenticated attacker with physical access to the device can read sensitive configuration by exploiting low security level settings (Security Level Low via Service Selector Switch position 8 or PSTATE program configuration). This allows disclosure of proprietary control logic, process parameters, and technology object configurations. The vulnerability requires no network access and is not remotely exploitable.

What this means
What could happen
An attacker with physical access to a SIMOTION device could extract confidential technology object configuration data without authentication, exposing proprietary control logic and process parameters.
Who's at risk
Manufacturers and operators of automation systems using Siemens SIMOTION motion control devices should be concerned. This affects SIMOTION C240, D410-2, D425-2, D435-2, D445-2, D455-2, and P320-4 controllers used in assembly lines, packaging systems, conveyor systems, and other automated machinery where process logic and parameters must remain confidential for competitive or operational security reasons.
How it could be exploited
An attacker with physical access to the device can read sensitive configuration data directly from SIMOTION memory or storage without providing credentials. The attack requires manipulating the Service Selector Switch to a low security position or using SIMOTION.ini settings to disable security protections.
Prerequisites
  • Physical access to the SIMOTION device
  • Ability to manipulate Service Selector Switch or modify SIMOTION.ini configuration file
  • Device must be running firmware version 5.4 or later up to (but not including) 5.5 SP1

  • Information disclosure of proprietary control logic
  • No patch available for D445-2 DP/PN (some versions) and P320-4 E/S
  • Requires physical access (reduces exploit likelihood)
  • No authentication required once physical access is gained
  • Low exploit complexity
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (13)
10 with fix · 3 EOL
Product               | Affected Versions      | Fix Status
SIMOTION C240         | ≥ V5.4, < V5.5 SP1     | 5.5 SP1
SIMOTION C240 PN      | ≥ V5.4, < V5.5 SP1     | 5.5 SP1
SIMOTION D410-2 DP    | ≥ V5.4, < V5.5 SP1     | 5.5 SP1
SIMOTION D410-2 DP/PN | ≥ V5.4, < V5.5 SP1     | 5.5 SP1
SIMOTION D425-2 DP    | ≥ V5.4, < V5.5 SP1     | 5.5 SP1
SIMOTION D425-2 DP/PN | ≥ V5.4, < V5.5 SP1     | 5.5 SP1
SIMOTION D435-2 DP    | ≥ V5.4, < V5.5 SP1     | 5.5 SP1
SIMOTION D435-2 DP/PN | ≥ V5.4, < V5.5 SP1     | 5.5 SP1
Remediation & Mitigation
Do now
WORKAROUND: Ensure Security Level Low (Service Selector Switch position 8 or PSTATE program setting) is never used in production environments; maintain Security Level High in operational systems.
HARDENING: Restrict physical access to SIMOTION devices in production facilities; implement access controls for the device enclosure and console ports.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMOTION C240
HOTFIX: Update SIMOTION C240, C240 PN, D410-2 DP, D410-2 DP/PN, D425-2 DP, D425-2 DP/PN, D435-2 DP, D435-2 DP/PN, and D455-2 DP/PN devices to firmware version 5.5 SP1 or later.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMOTION D445-2 DP/PN, SIMOTION P320-4 E, SIMOTION P320-4 S. Apply the following compensating controls:
HARDENING: For SIMOTION D445-2 DP/PN and P320-4 E/S devices (no patch available), maintain strict physical access controls and a high security level configuration; this is the only available mitigation.